package com.hz.tgb.filter;

import com.hz.tgb.crypto.aes.BackAES;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.regex.Pattern;

/**
 * 对参数进行解密，以及进行XXS保护。
 *
 * @author hezhao on 2015年6月9日
 */
public class MyHttpRequest extends HttpServletRequestWrapper {

	/** 原始Request */
	private HttpServletRequest orgRequest;
	/** 加密字符串 */
	private String AES_KEY = "dAA%D#V*2a9r4I!V";

    private static final Pattern SCRIPT_PATTERN_1 = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_PATTERN_2 = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern SCRIPT_PATTERN_3 = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern SCRIPT_PATTERN_4 = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_PATTERN_5 = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern SCRIPT_PATTERN_6 = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern SCRIPT_PATTERN_7 = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern SCRIPT_PATTERN_8 = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_PATTERN_9 = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_PATTERN_10 = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern SCRIPT_PATTERN_11 = Pattern.compile("<iframe>(.*?)</iframe>", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_PATTERN_12 = Pattern.compile("</iframe>", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_PATTERN_13 = Pattern.compile("<iframe(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	
	public MyHttpRequest(HttpServletRequest request) {
		super(request);
		orgRequest = request;
	}

	/**
	 * 覆盖getParameter()方法，将参数名和参数值都做xss过滤。<br/>
	 * 如果需要获得原始的值，则通过super.getParameter(name)来获取<br/>
	 * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
	 */
	@Override
	public String getParameter(String name) {
		String value = super.getParameter(xssEncode(name));
		if(value != null) {
			value = BackAES.decrypt(value, AES_KEY, 0);
			value = xssEncode(value);
		}
		return value;
	}

	/**
	 * 覆盖getParameterValues()方法，将参数名和参数值都做xss过滤。<br/>
	 * 如果需要获得原始的值，则通过super.getParameterValues(name)来获取<br/>
	 */
	@Override
    public String[] getParameterValues(String parameter) {
		String[] values = super.getParameterValues(xssEncode(parameter));
		if (values == null || values.length == 0) {
			return null;
		}
		String value;
		int count = values.length;
		String[] encodedValues = new String[count];
		for (int i = 0; i < count; i++) {
			value = BackAES.decrypt(values[i], AES_KEY, 0);
			encodedValues[i] = xssEncode(value);
		}
		return encodedValues;
	}
	
	/**
	 * 覆盖getHeader方法，将参数名和参数值都做xss过滤。<br/>
	 * 如果需要获得原始的值，则通过super.getHeaders(name)来获取<br/>
	 * getHeaderNames 也可能需要覆盖
	 */
	@Override
	public String getHeader(String name) {
		String value = super.getHeader(xssEncode(name));
		if (value != null) {
			value = xssEncode(value);
		}
		return value;
	}

	/**
	 * 获取最原始的request
	 * 
	 * @return
	 */
	public HttpServletRequest getOrgRequest() {
		return orgRequest;
	}

	/**
	 * 获取最原始的request的静态方法
	 * 
	 * @return
	 */
	public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
		if (req instanceof MyHttpRequest) {
			return ((MyHttpRequest) req).getOrgRequest();
		}
		return req;
	}

	public String escape(String s) {
		StringBuilder sb = new StringBuilder(s.length() + 16);
		for (int i = 0; i < s.length(); i++) {
			char c = s.charAt(i);
			switch (c) {
				case '>':
					sb.append('＞');// 全角大于号
					break;
				case '<':
					sb.append('＜');// 全角小于号
					break;
				case '\'':
					sb.append('‘');// 全角单引号
					break;
//				case '\"':
//					// 有可能影响到json格式字符串中的双引号。
//					sb.append('“');// 全角双引号
//					break;
				case '\\':
					sb.append('＼');// 全角斜线
					break;
				case '%':
					sb.append('％'); // 全角冒号
					break;
				default:
					sb.append(c);
					break;
			}

		}
		return sb.toString();
	}

//	/**
//	 * 将容易引起xss漏洞的半角字符直接替换成全角字符
//	 *
//	 * @param s
//	 * @return
//	 */
//	private static String xssEncode(String s) {
//		if (s == null || s.isEmpty()) {
//			return s;
//		}
//
//		StringReader reader = new StringReader(s);
//		StringWriter writer = new StringWriter();
//		try {
//			HTMLParser.process(reader, writer, new XSSFilter(), true);
//			return writer.toString();
//		} catch (NullPointerException e) {
//			return s;
//		} catch (Exception ex) {
//			ex.printStackTrace(System.out);
//		}
//		return null;
//	}

	/**
	 * 将容易引起xss漏洞的半角字符直接替换成全角字符
	 * 
	 * @param s
	 * @return
	 */
	public String xssEncode(String s) {
		if (s == null || s.isEmpty()) {
			return s;
		}

		String result = stripXSS(s);
		if (null != result) {
			result = escape(result);
		}

		return result;
	}

	private String stripXSS(String value) {
		if (value != null) {
			// NOTE: It's highly recommended to use the ESAPI library and
			// uncomment the following line to
			// avoid encoded attacks.
			// value = ESAPI.encoder().canonicalize(value);
			// Avoid null characters
			value = value.replaceAll("", "");
			// Avoid anything between script tags
			value = SCRIPT_PATTERN_1.matcher(value).replaceAll("");
			// Avoid anything in a src='...' type of expression
			value = SCRIPT_PATTERN_2.matcher(value).replaceAll("");
			value = SCRIPT_PATTERN_3.matcher(value).replaceAll("");
			// Remove any lonesome </script> tag
			value = SCRIPT_PATTERN_4.matcher(value).replaceAll("");
			// Remove any lonesome <script ...> tag
			value = SCRIPT_PATTERN_5.matcher(value).replaceAll("");
			// Avoid eval(...) expressions
			value = SCRIPT_PATTERN_6.matcher(value).replaceAll("");
			// Avoid expression(...) expressions
			value = SCRIPT_PATTERN_7.matcher(value).replaceAll("");
			// Avoid javascript:... expressions
			value = SCRIPT_PATTERN_8.matcher(value).replaceAll("");
			// Avoid vbscript:... expressions
			value = SCRIPT_PATTERN_9.matcher(value).replaceAll("");
			// Avoid onload= expressions
			value = SCRIPT_PATTERN_10.matcher(value).replaceAll("");

			value = SCRIPT_PATTERN_11.matcher(value).replaceAll("");

			value = SCRIPT_PATTERN_12.matcher(value).replaceAll("");
			// Remove any lonesome <script ...> tag
			value = SCRIPT_PATTERN_13.matcher(value).replaceAll("");
		}
		return value;
	}
}
